Posted
by
kdawson
on Tuesday March 09, 2010 @02:22AM
from the you-and-whose-army dept.

Hugh Pickens writes "Network World summarizes an RSA Conference panel discussion in which former NSA technical director Brian Snow said that cryptographers for the NSA have been losing ground to their counterparts in universities and commercial security vendors for 20 years, but still maintain the upper hand in the sophistication of their crypto schemes and in their ability to decrypt. 'I do believe NSA is still ahead, but not by much — a handful of years,' says Snow. 'I think we've got the edge still.' Snow added that that in the 1980s there was a huge gap between what the NSA could do and what commercial encryption technology was capable of. 'Now we are very close together and moving very slowly forward in a mature field.' The NSA has one key advantage (besides their deep staff of Ph.D. mathematicians and other cryptographic experts who work on securing traffic and breaking codes): 'We cheat. We get to read what [academics] publish. We do not publish what we research,' he said. Snow's claim of NSA superiority seemed to rankle some members on the panel. Adi Shamir, the "S" in the RSA encryption algorithm, said that when the titles of papers in NSA technical journals were declassified up to 1983, none of them included public key encryption; 'That demonstrates that NSA was behind,' said Shamir. Snow replied that when technologies are developed separately in parallel, the developers don't necessarily use the same terms for them."

It occurs to me to think that real encryption is not beatable, but workable encryption is. The problem is not who has the best or admits to not having it, it's who has best real encryption that is workable between arbitrary peers. I can easily encrypt a drive that you will NEVER decrypt, but then neither will I be able to. It's the secrecy of the key that is the quest, not the encryption particularly. Hiding the key when it is shared publicly is a problem, will always be a problem, and the race is not necessarily one brain trust against another for the best hiding technique, but rather a race to figure out the best way to hide it for a reasonable amount of time from the most people. The fastest car on the planet is not declared the Indy500 winner, only the car that conforms to the rules of the race is. This race is not winable in the long term, and only valid as a race in the very short term. Don't count on your encrypted hard drive to protect your data from everyone, for all time. That's simply not going to happen.

I don't think hiding the key has been a problem. Public-key cryptography already enables the other key to be publicly known and it doesn't reveal the private key required to encrypt in that. Also if you're using password based key, then obviously you cannot make it public. In the end all of the cryptos are breakable by brute-forcing, it's just about making that part harder. Currently "breaking" the encryption techniques have been mostly about trying to lower the amount of brute-forcing you need to do. The r

If you encrypt your drive using a one time pad then, yes, it is encrypted and safe for all time and is provably unreadable without someone having the key. Of course, if it's a 1TB drive, then you need a 1TB key, and you can only use it once...

You don't think someone, given enough time, would be able to brute-force your password? The use of Never in zeppepcs post would imply he means literally NEVER. Not "in a reasonable amount of time" or "within a timeframe that the information stored is still valuable" but NEVER IN ALL TIME!!!

A 256 bit key has 2^256 possibilities. That's 1.15x10^77 possibilities. If you can try 10 million keys in a second, then you "only" need 1.15x10^70th seconds. If you can multiply that speed by a factor of a thousand, then you "only" need 1.15x10^67th seconds. That's 3.67x10^59th years. The universe is only 1.3x10^10 years old.

So never is more than fair. You would literally have to generate universes to generate universes to decrypt via brute force. By our current understanding of reality, impossible is correct, and anything shy of that is literally science ficition.

Somes love to memorise thousands of digits of PI. Why it could not be conceivable to memorise only 256 bits or 64 Hex digits or 50 [A-Z0-9] chars or 43 [A-Za-z0-9] chars... I know i could not memorise something like that, but some people can.

> I'm assuming we're talking a 256 character long password.> Because I'd sure love to see someone memorise a string of 1 and 0 that is 256 digits long.

1 Character != 1 Bit of entropy.

But anyway...with a diceware-like approach (http://www.diceware.com) you'll get approximately 12.92 bits of entropy per randomly chosen word. So you'd need only 20 words from the diceware list for your passphrase to actually match and surpass the 256-bit security of the underlying crypto algorithm. 20 words are not that h

Because I'd sure love to see someone memorise a string of 1 and 0 that is 256 digits long.

You don't memorise ones and zeros, you pack them into characters.

The life that I have is all that I haveAnd the life that I have is yoursThe love that I have of the life that I haveIs yours and yours and yours.A sleep I shall have, a rest I shall haveYet death will be but a pauseFor the peace of my years in the long green grassWill be yours and yours and yours.

306 characters: far far more than is needed.

The author of the poem was a truly remarkable man who led an amazing life.

Wait, I'm assuming we're talking a 256 character long password. Because I'd sure love to see someone memorise a string of 1 and 0 that is 256 digits long.

Three hours later and no one noticed his post was 155 characters long (at least wc -l claims that). You can look at that as about 8 bits per byte of raw very non random data, giving 1240 bits of nonrandom data and he only needs 256 bits. Pessimistically you might pull 2 bits of randomness out per byte, yielding a whopping 310 bits of randomness. Anyway, thats more than enough to feed a hash function to get a nice even 256 bits. I pushed his post thru sha256sum and got the following 256 bit hash:

You insensitive clod, he's BRITISH! He can't help it... not even their teachers know how to spell. The most a very bright and motivated student can hope for is ox training classes in Cambridge. Just leave him alone!

A 256 bit key has 2^256 possibilities. That's 1.15x10^77 possibilities. If you can try 10 million keys in a second, then you "only" need 1.15x10^70th seconds. If you can multiply that speed by a factor of a thousand, then you "only" need 1.15x10^67th seconds. That's 3.67x10^59th years. The universe is only 1.3x10^10 years old.

So never is more than fair. You would literally have to generate universes to generate universes to decrypt via brute force. By our current understanding of reality, impossible is correct, and anything shy of that is literally science ficition.

Uh, no. You are assuming that things will always work the way that they do. By that I mean, presumably, you think 10 million keys is a lot of keys, but what if we could test 2^256 keys per second? Then it's easily decrypted. Obviously given the way we currently do things that's not possible but we may be able to do it with quantum computing (or maybe not). Finally, if you are so keen on constraining things according to the real world, then it's unlikely we'd need to resort to brute-force. All encrypti

If there was a way to direct the key search to one of the potential keys that could decrypt the ciphertext into some meaningful plaintext, i.e. selection, then one could break the encryption in a more feasible time frame.

Are you aware that randomly generating a specific protein is much more difficult than that? I've heard a number around 1 in 10^113. That would be just ONE of the proteins we need for life.

So. Either it needs to be rethought what is actually numerically possible, or that the genetic make-up of life was guided by chance.

But that is randomly generating a specific protein without working from an earlier protein. Asimov called that the hemoglobin number and used it as an example of why evolution could not work using blind chance. Hemoglobin is just part of a family of proteins called globins and the actual differences among them are relatively small. The evolution of hemoglobin did not happen by chance all in one step but by accumulating change via many much smaller steps from an existing protein.

Strong cryptographic algorithms are specifically designed to be resistant to the type of analysis which would allow you to derive parts of the key until you have the whole thing. Either you have it all, or you have nothing. Evolution of proteins does not work that way.

You fallaciously assume decryption will *always* require trying *every* possible key -- you could get lucky and get the correct key on the first attempt. You don't "only" need 1.15E70 seconds, you need "at most" 1.15E70 seconds.

I don't think "never" should be used in this case. My understanding of the subject is lacking, but I believe that some of the appeal of quantum computing is that a qbit computer can represent all states at once. While I don't know how the q-computer can be used to test against the encrypted drive, if the alternate timeframe is 10^59th years my guess is they will figure out how to use the q-computer for this before then. While it is not a traditional "test, increment, test again" brute force methodology, a

A 256 bit key has 2^256 possibilities. That's 1.15x10^77 possibilities. If you can try 10 million keys in a second, then you "only" need 1.15x10^70th seconds. If you can multiply that speed by a factor of a thousand, then you "only" need 1.15x10^67th seconds. That's 3.67x10^59th years. The universe is only 1.3x10^10 years old.

Wrong. You only are likely to need that time. A random key in that keyspace, however, might be the fifth one you try, or the five millionth one, or might be the very last one you try.

You don't think someone, given enough time, would be able to brute-force your password? The use of Never in zeppepcs post would imply he means literally NEVER. Not "in a reasonable amount of time" or "within a timeframe that the information stored is still valuable" but NEVER IN ALL TIME!!!

No, and there's good physical arguments to "NEVER IN ALL TIME!!!" despiate your attempts at hyperbole. Currently the best theories we got suggests there's a lower entropy limit of kT*ln 2 (the Von Neumann-Landauer limit) per operation, which is on the order of 10^-23 joule. The energy of the sun via E=mc^2 is on the order of 10^47 joule. So at most you can do is 10^70 operations but 2^256 = ~10^77. In other words you can't get through the keyspace before you run out of energy, even taking ideal assumptions.

Currently the best theories we got suggests there's a lower entropy limit of kT*ln 2 (the Von Neumann-Landauer limit) per operation, which is on the order of 10^-23 joule. The energy of the sun via E=mc^2 is on the order of 10^47 joule. So at most you can do is 10^70 operations but 2^256 = ~10^77. In other words you can't get through the keyspace before you run out of energy, even taking ideal assumptions.

Well, if your strategy is guess and check, sure, OK. Wouldn't this plan be a hell of a lot cheaper:

Estimate the total number of operations a genius level human brain can accomplish per second. I will be wildly optimistic and give it 10^3. Lets assume all thought is directed toward crypto and no daydreaming about the young lady working in accounting, or arguing about which was better, Kirk or Picard.

Estimate the age of the NSA. Wikipedia claims formed in 1952 but theres plenty of cloak and dagger stuff going on before, so we'll round it to 10^3 years

Estimate the total number of geniuses the NSA has hired over the years. The holy font of all wisdom, wikipedia, claims the number of employees is classified. However, they claim there's 18000 parking spaces at HQ. What the hell they do with 18K people is a mystery to me. My guess is theres 17990 supervisors, managers, directors, HR personnel, diversity directors, marketing personnel, and other executives and about 10 guys with pocket protectors doing all the work, in between their slashdot breaks. But lets say on a very long term average they have 10^5 geniuses working at any given instant.

Lets further assume they never eat, sleep, have sex (duh, they're math majors). That gives us 31 million seconds per year. Well, we'll round that down for time to watch star trek reruns, eat pizza rolls, and read slashdot, so call it 10^7 seconds per year.

So, you need to do about 10^3 * 10^3 * 10*5 * 10^7 = about 10^18 crypto related thought operations over the total lifetime of the NSA.

In conclusion, you need to run WELL under 10^18 thought operations to figure out the back door they put into your encryption algorithm and/or reverse engineer their top secret decryption technology. A wee bit less than your 10^70 operations required to brute force one message. Plus, when you crack the entire algorithm, you've cracked all messages ever sent with it, not just one message.

Well, the post I was replying to said brute force and that's pretty much the definition of brute force.

In conclusion, you need to run WELL under 10^18 thought operations to figure out the back door they put into your encryption algorithm and/or reverse engineer their top secret decryption technology. A wee bit less than your 10^70 operations required to brute force one message. Plus, when you crack the entire algorithm, you've cracked all messages ever sent with it, not just one message.

Uh, wtf kind of logic is that? Since the 1960s millions of people have thought of a "warp drive", that doesn't make it possible. For example, take the RSA algorithm. It depends on p*q = n being trivial to do just like you learned in elementary school, while factoring n to p*q is something mathematicians have spent 2200 years on and not found a really good way of doing. Symmetric encryption is probably even

Let's be honest if a key resides on my head then the kind of 'brute force' method of recovery is likely to hit against my singular lack of resolve - being a geek and not a spy I don't tend to fare well under torture!

Except he's (more or less) right. James Ellis, at GCHQ (roughly the UK equivalent of NSA) had developed the basics of public key cryptography by the end of 1969. This was about 6 years ahead of Diffie Hellman and Merkle. In 1973, a GCHQ cryptographer, Clifford Cocks, realized that one-way functions would be an elegant way of achieving Ellis' insight. See http://cryptome.org/ukpk-alt.htm [cryptome.org] for example. This was some years ahead of RSA.

GCHQ and the NSA definitely would have exchanged this information. It's also quite possible that the US made some of these breakthroughs even earlier than the British; I've not paid much attention to anything NSA-related that has declassified in the last 5+ years.

Agreed! PK crypto, block ciphers, etc., was in my Elementary Number Theory textbook (1984, Kenneth Rosen). No freakin' way NSA didn't know how to do that before 1983--as he said, if it's not in a title, then they called it something else.

While it is true that it would not be in his interest to admit if they are beat that does not imply that they are beat. And you would have to be an idiot to believe that they are. To pick up on three points from the video:

They employ several hundred PhDs and have a budget that would make any company or university in the sector weep.

They can read the literature and take ideas but don't have to reciprocate by publishing their work.

They are not handicapped by inconveniences like the law when it comes to exper

Exactly. The USA intelligence agencies have shown their moronity and so many occasions. I'm not sure which is their greatest hit: helping traffic cocaine into American cities to fund arms transfers to Iran OR helping Osama Bin Laden build and develop the Al-Qaeda network. The NSA/CIA/FBI might be able to catch child porn wankers and craigslist hookers but the Chinese/Israelis/Indians will eat them for lunch. Go to a computer science dept. anywhere: You will see almost all Phd students are Chinese/Jewish/Ind

They are all learning from US books under US profs and going back home with US ideas...
Its just the old cold war idea of get them young.
Years later your "Chinese/Jewish/Indian" is going to sit in front of a mutil billion $ contract with a local build %.
If trained in the US who do you think they will recall fondly ?
France, Italy, Brazil, Germany, Russia?
The USA hopes years of quality education will give them that "reality distortion" edge.
Then when they sign up for a few billions of $ worth of US har

Let me tell you from firsthand experience. You cannot even fathom the awesomeness that goes on inside the cube unless you work there. It is not like Hollywood portrays it, but there is a whole lot of cool going on in there. That is why people work for the NSA. Now, I have philosophical disagreements with how the NSA ran business during the Bush years and I left that industry for aerospace. That being said if any of my former colleagues tell me that things have changed I think that I would go back.

99.9% of the world's population is, well, the bottom 99.9% of the world. We're talking about the very smartest and most gifted people. The sort that shouldn't be happy if they do not achieve something.

Who says the best always have to get their kicks off with public masturbation? While they may never be able to publish, it is also quite likely they will be exposed to concepts and ideas they never would have had the chance to be exposed to otherwise. I'm sure a very large percentage of these sorts of people are driven by a desire to self-improve.

99.9% of the world's population is, well, the bottom 99.9% of the world. We're talking about the very smartest and most gifted people. The sort that shouldn't be happy if they do not achieve something.

You are confusing genius with ambition. Not all geniuses want to take over the world. Some just want to lead a happy life.

Sure, I accept that the toys are great, but scientifically? It's time wasted.
At some point people are going to ask
what did you accomplish?

If you're a mathematician especially, you'll have nothing to show for it, and if your reports ever get published
in the future, they'll be long obsolete and irrelevant.

Who cares? You're getting paid to do what you love and are provided with all the toys you can think of to do that stuff with. If I was a mathematician, I wouldn't really consider that sort of job to be unfulfilling. (Ethical and moral dilemmas are another matter.)

At some point people are going to ask what did you accomplish?If you're a mathematician especially, you'll have nothing to show for it

"I could tell you, but then I'd have to kill you afterwards". And to be honest, I doubt anyone with "Mathematician, NSA" on their CV will ever have trouble finding work. Lots of others with science degrees work for private research, you'll just be another one of those.

If you're a mathematician especially, you'll have nothing to show for it

So you can't brag to your friends, you can still feel quite fulfilled knowing that your work is not only important, American (or your home nation, for other intelligence agencies) lives may be saved by your hard work.

Furthering science isn't the only way a scientist, engineer, or mathemetician can feel fulfilled.

Considering the way the NSA has behaved in the last 9 years, I'd say it was way more likely that your work would be used to spy on innocent Americans, prop up phony wars, gather dirt on Administration political opponents, etc.

You mean, considering the reports we have heard. There's a pretty obvious selection bias, in that only the illegal activities (which there certainly are, sanctioned or otherwise) will be notable enough to publish and publicize. I highly doubt that illegal activities accounted for more than 1% of work performed by the NSA (again, including both sanctioned and unsanctioned activities), let alone 51% for cryptologic work to be 'more likely' to be used illegaly.

You cannot even fathom the awesomeness that goes on inside the cube...there is a whole lot of cool going on in there

But not, apparently, a lot of grown up usage of the English language.

Some people like knowing things that other people don't know and having secrets. Some people like adding to the store of human knowledge, and knowing that they have left the world a slightly better informed or capable place. Personally, I know from experience which type I prefer to work with, and it's not the "I'm a member o

[D]irector Brian Snow said that cryptographers for the NSA have been losing ground to their counterparts in universities and commercial security vendors for 20 years.

Until a working quantum computer is made.

That's just what they want you to think. Secretly, they already have a quantum computer that can decrypt anything near-instantly. They call it TRANSLTR. Okay, maybe not, but it would make a great Dan Brown novel [wikipedia.org].

The US was only willing to share nuclear weapon designs with the UK after it became clear that the UK was quite capable of designing and building its own nukes - and even then, it was on the condition that the US effectively still owned them and had control of their use.

The US does not have "ownership" of UK nukes and certainly doesn't have hard controls that could stop them being used if the UK wanted to but the US didn't. Royal Navy Trident submarine commanders still have the ability to launch under their own authority (albeit with plenty of procedural controls, involving hand written letters and BBC Radio 4).

Crypto's not the weak link in security anymore, nor has it been for a long time. I think the real security money now is in automated (or proven) software verification and model checking. Private industry is only beginning to understand this, and as a whole, probably will not employ it for some time to come. Why bother testing for security errors when you can prove they don't exist?

If the key-size is adequate, then yes. I am. You can not brute force a 256bit symmetric key cipher, not on this planet anyways. I defy you to aquire all of the power that would be needed to make modern computers count from 0 to 2^256. That number is a hell of a lot bigger than I think you think it is.

Now, could the NSA be using other, perhaps unknown attacks, on things like AES256? That's entirely possible, but they are not brute forcing it.

Nah. The money is now in electromagnetic remote sensing; reading your screen and listening to your keyboard from a mile away. That, and psy-ops. Humans still control keys. Humans always make at least one mistake. Google's mail accounts were cracked because their subjects could be coaxed to visit malicious websites, after all.

"I think the real security money now is in automated (or proven) software verification and model checking. Private industry is only beginning to understand this, and as a whole, probably will not employ it for some time to come. Why bother testing for security errors when you can prove they don't exist?"

Yeah, we were laughing about this in my college CS classes 20 years ago. So the drunken party's back again, eh?

> > I think the real security money now is in automated (or proven) software verification and model checking.> > Why bother testing for security errors when you can prove they don't exist?"> Yeah, we were laughing about this in my college CS classes 20 years ago. So the drunken party's back again, eh?Yeah, why bother testing his slashdot post for errors if he can prove (via "post verification and checking") that his post on Slashdot was exactly what he wanted to post?

> cryptographers for the NSA have been losing ground to their> counterparts in universities and commercial security vendors for> 20 years, but still maintain the upper hand in the sophistication> of their crypto schemes and in their ability to decrypt.

Where the NSA certainly has 'maintained the upper hand' is in reallife versus ordinary people. The technology of surveillance hasgotten orders of a magnitude better and surrounding laws have beenadapted to make it fully legal to use that technology to the maxagainst The People (whereever they may be). Who in this discussionencrypts their e-mails or uses 'sophisticated crypto schemes' as amatter of course? At best it's maybe SSH here and there and theoccasional SSL site. The vast majority of traffic is plain-text, asit's been since the days of papyrus. Hell, back in those days atleast only a few people could read it and thus had better privacythan we mostly have today. Nevermind the ramifications of Facebookand similar tools.

Mr. Shamir can engage in discussions of who developed Public KeyCryptography first or not. It's all nonsense, because as brilliantas the concept is, the PUBLIC has no part in it to 99.99% andtherefore we can consider it a complete FAILURE on grounds of lackof acceptance and widespread use. Meanwhile the NSA sits back andlaughs, as their electronic tentacles filter through PUBLIC('s)traffic...any traffic...and mostly doesn't have to bother withbreaking anything. Cuz we 'oh-so-clever' geeks have failedmiserably. If the NSA has any problem, then it's to store andprocess/search through the data they get...not the acquisition.

> I'm never happy with the way my browser handles line-breaking, so I'm> eternally grateful to you for taking the initiative and doing it yourself.

More a result of using an external editor. And even though I have a feeling youwere being ironic, I DO find it easier to read with a normal line-length, asopposed to reading across the whole damn (wide)screen.;-)

And even though I have a feeling you were being ironic, I DO find it easier to read with a normal line-length, as opposed to reading across the whole damn (wide)screen.;-)

A friendly suggestion: with flowed content such as html you should never impose linebreaks for non-formatting purposes, i.e. you could use them with code or poems. Otherwise one line equals one paragraph. Your editor can surely soft-wrap the display while retaining proper flow in the text.

This will soft-wrap the lines.The written text will still go to the end of the editor/display though. Haven't yet found a way to limit the line length (say, 70 characters) for easy reading, yet still have it only soft-wrapped for final posting to/..

That's absolutely true. In addition to brute-force decryption and other methods, the NSA has discovered what scammers have known all along. You don't need to decrypt someone's stuff if they'll give you the keys themselves. It's easier to compromise someone's box and keylog their keys than it is to decrupt the information by force.

The NSA spends a tremendous amount of effort on social engineering and subversive key acquisition. Those methods are much faster and easier.

If the NSA has any problem, then it's to store and process/search through the data they get...not the acquisition.

Well that, and interagency cooperation, which the Department of Homeland Security was designed to fix. Instead, it now pursues its own agenda and has proven counterproductive towards those ends. The value of intelligence is not in whether or not you can acquire the information, but whether you can do so in a timely and reliable fashion, and have the resources to analyze it to determine trends, form conclusions, and execute decisions in a timely manner. Intelligence operations don't have a defined start and

'We cheat. We get to read what [academics] publish. We do not publish what we research,'

That's all well and good for cryptanalysis, which is more or less provable, but for new encryption algorithms the more eyes you have looking at your algorithm the more certain you can be of its strengths. Not letting people look at your encryption algorithms seems to be relying on security through obscurity.

'We cheat. We get to read what [academics] publish. We do not publish what we research,'

That's all well and good for cryptanalysis, which is more or less provable, but for new encryption algorithms the more eyes you have looking at your algorithm the more certain you can be of its strengths. Not letting people look at your encryption algorithms seems to be relying on security through obscurity.

It isn't about security through obscurity. They are cheating because they get ideas from the academics but don't have to return the favor. It becomes a pull relationship and ignores the push.

Think of it this way (with made up stats), NSA has 40% of all available industry resources and ideas, while the academics have the remaining 60%. So, while the NSA only has 40% but gets to view 100%, while academics have 60% but are stuck at 60%. If you use your position of power to use all available resources, even

'I do believe NSA is still ahead, but not by much -- a handful of years,' says Snow. 'I think we've got the edge still.'

Slashdot headline:

NSA Still Ahead In Crypto, But Not By Much

Sorry, Snow. But someone “thinking” that something is that way, has nothing to do with what it actually is.There are people out there who still “think” that earth is flat, the sun revolves around it, and that there is a bearded man in the sky.

Then again, if you follow the money/power, you realize quickly, why that empty and pointless quote gets thrown around the Internet...Yeees NSA... you’re still the best... mama still loves you... really! *pat-pat*;)

I wish that NO agency of any country is “ahead” in crypto. It’s like saying that Jack the Ripper is still ahead of the police. Not a world you want to live in.

Yeah, but the way most intelligence services work is that it's not like the employees show up at the NSA building every day and sit in a cubicle doing encryption research. At least with the CIA and DOD they just put civilian academic researchers on the payroll and get "first dibs" on new stuff and also get to direct their research. The CIA does this with journalists too. They still work at the NY Times etc. but the CIA sees all their information first and decides what will get printed and what will stay pri